You're spot on!
It's important to remember that some resources are not tied to a traditional network boundary.
For example:
- Lambda (if deployed within a VPC), EC2, and RDS would all have VPC components tied to them, such as subnets and security groups.
- SNS, SQS, DynamoDB, etc. do not have traditional VPC components associated with them.
Now, if your resources are within/tied to a VPC (Lambda, EC2 come to mind) and need to communicate with a service, you can then use a VPC Endpoint to allow a direct connection over the AWS backbone to the service. That's where VPC endpoints come into play. Keep in mind that depending on your company's structure, you may need to use a NAT Gateway to connect outbound to other things (for example google.com).
In this use case, VPC Endpoints can often be the most direct path. However, if your resources are not configured within a VPC (for example, a Lambda without a VPC), no such endpoints are needed.
Check out: https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-interface.html.
Endpoint Policy information: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html
AWS services that support PrivateLink: https://docs.aws.amazon.com/vpc/latest/privatelink/integrated-services-vpce-list.html
I'm not 100% clear on what you want to do; anyway, VPC Endpoints are used to connect to AWS services from inside a VPC without using public traffic. https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints.html
I don't know what is publishing to SNS, but it looks like it's something outside AWS.
So in your case it seems to be something like this:
{External to AWS} -> SNS -> SQS -> Lambda -> DynamoDB
For obvious reasons, External to AWS -> SNS is via public traffic (the normal internet). The traffic between SNS and SQS and between SQS and Lambda is fully managed by AWS, so there is not much you can do there.
Once the event arrives in Lambda, you have 2 solutions:
- Lambda is not deployed in a VPC, and so the traffic between Lambda and DynamoDB is via public traffic.
- Lambda is deployed in a VPC and you want to use a VPC Endpoint (Gateway endpoint) to DynamoDB; in this case the traffic is kept internal to the VPC.
Be aware that if you deploy your Lambda in a VPC you have some other restrictions, such as the Lambda not having direct access to the internet; you would need a NAT in your VPC for the Lambda to access the internet.
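The second option from both answers (Lambda inside a VPC, DynamoDB reached through a gateway endpoint) as a worked CloudFormation template. This is an added example, not code from either answer or from AWS; the table name `orders-example`, the parameter names, the `orders-table-via-endpoint` policy name and the inline handler are all constructed for illustration. It goes a step beyond the thread by scoping the endpoint policy, the security group egress and the function role to that one table, and by allowing the role's DynamoDB actions only when the call arrives through the endpoint (`aws:sourceVpce`), so the same credentials used from anywhere else get nothing.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  PrivateRouteTableId:
    Type: String
    Description: Route table of the private subnets; the gateway endpoint adds its route here.
  DynamoDbPrefixListId:
    Type: String
    Description: Regional managed prefix list for DynamoDB (aws ec2 describe-prefix-lists).
  TableName:
    Type: String
    Default: orders-example   # constructed name, not from the thread

Resources:
  # Gateway endpoint: DynamoDB traffic stays on the AWS network and needs no NAT.
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      RouteTableIds:
        - !Ref PrivateRouteTableId
      # Endpoint policy: whatever leaves this VPC via the endpoint may touch only this table.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: [dynamodb:PutItem, dynamodb:GetItem]
            Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}

  # Security group: HTTPS egress only towards the DynamoDB prefix list, nothing else.
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda egress restricted to the DynamoDB gateway endpoint
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          DestinationPrefixListId: !Ref DynamoDbPrefixListId

  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # Grants the ENI permissions a VPC-attached function needs.
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: orders-table-via-endpoint
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: [dynamodb:PutItem, dynamodb:GetItem]
                Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}
                # Ref on the endpoint yields its vpce-... id; calls not arriving through it are denied.
                Condition:
                  StringEquals:
                    aws:sourceVpce: !Ref DynamoDbEndpoint

  OrdersFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaRole.Arn
      Environment:
        Variables: { TABLE_NAME: !Ref TableName }
      VpcConfig:
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds: [!Ref LambdaSecurityGroup]
      Code:
        ZipFile: |
          import json, os, boto3
          table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])
          def handler(event, context):
              # SQS event source; each body is the SNS envelope with the message inside.
              for record in event["Records"]:
                  msg = json.loads(record["body"])
                  table.put_item(Item={"pk": record["messageId"], "payload": msg.get("Message", "")})
              return {"stored": len(event["Records"])}
```

Two points worth checking after deployment: a gateway endpoint works through the route table, not DNS, so the function's subnets must use `PrivateRouteTableId` or the SDK will try the public DynamoDB address and time out behind the egress-only security group; and because the role's Allow carries the `aws:sourceVpce` condition, any other caller using those credentials (including a test run of the function outside the VPC) is denied, which is the intended control, not a misconfiguration.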
Thanks @jsonc for your answer. I really appreciate that. Believe me, before asking this question here, I have gone through a lot. What you have suggested is absolutely correct. Please help me further on this:
Thanks in advance